\section{Introduction} \label{sec:introduction}


%- Access control security vs compromise performance
%- Define acces control in xacml setting (subject action resource)
%- Situation of our approach Context evaluations previous approach + contribution dimensions
%- Main idea + open reserach issues
%-Structure




%In addition, fine-grained access control mechanisms must both comply with three access control architectural requirements \cite{scalabilityaccesscontrol}:
%scalability, transparency, and optimization of request evaluation.


Should we sacrifice performance when considering some security requirements such as implementing access control mechanisms?
IT experts would answer ``Absolutely not, in today's competitive market, this would impact the business''. However, what happens
in real systems of access control management is that organizations with divisionalised structures and workflow, several datatypes and
heterogenous
resources have a significant growth of their access control policies \cite{policymanagement}.
These access control policies define rules to regulate access control rights \cite{acp}; explosion of the access rights to be computed at
runtime may dramatically degrade the decision-making time, leading to performance bottlenecks and impacting service availability.

%which may reflect a complex structure of an organization, with its structure and its
%assets variety, this can lead to deal with access control policies intricate in design,

Few companies would agree to pay the price for improving
their security if doing so degrades performance in such a way that it impacts users' satisfaction. However, this performance
problem is crucial for the adoption of security policies in deployment of real-world information systems:
a solution must comply both with some requirements of access control architectures~\cite{scalabilityaccesscontrol} such as
scalability and transparency, and with optimal decision-making time.




In practice, access control architectures often follow a popular architectural concept, which separates a Policy Enforcement Point (PEP) from a Policy Decision Point (PDP) \cite{separation}.
More specifically, the PEP is located inside the application (i.e., business logic of the system) and formulates requests.
The PDP encapsulates the policy. The PDP then receives requests from the PEP and returns evaluation responses (e.g., permit or deny) by evaluating these requests against rules in the policy.
This architecture enables to facilitate managing access rights in a fine-grained way since this architecture
decouples the business logic from access control decision logic, which can be standardized. In this architecture,
the policy is centralized in one point, the PDP. Centralization of the PDP offers advantages such as
facilitating managing and maintaining the policy, which is encapsulated in a single PDP. However, such centralization can be a pitfall for degrading
performance since the PDP manages all of access rights to be evaluated by requests issued by PEPs.


To address the performance issue, we propose a mechanism for refactoring access control policies to reduce
the request evaluation time and enable to preserve the synergy property in the access control architecture. In this paper, we define this property as the cardinality-based feature that
characterizes the association between the PEPs and the PDP. This association impacts the way that PEPs interact with the PDP. We assume that this property holds if the association
between the PEPs and the PDPs enables to map each PEP, once triggered, to a single PDP. On the other hand, a PDP can be mapped to several PEPs. Therefore, this property holds for the traditional
architecture where there is a unique PDP.

In our approach, we consider policy-based software systems, which
enforce access control policies specified in the eXtensible Access Control Markup Language (XACML) \cite{sunxacml}. XACML is a popularly used XML-based language to specify rules in a policy. A rule specifies which subjects can take which actions on resources in which condition.
%AS a standard policy specification language, XACML has emerged as a pressing need, for expressing access control security policies in heteregenous environments.
We propose an automated approach for optimizing the process of decision
making in XACML request evaluation. Our approach includes two facets: (1) performance optimization criteria to split the PDP into smaller decision points,
(2) architectural property preservation to keep the synergy between PDP and PEPs.
The performance optimization facet of the approach lies in transforming the single PDP into smaller PDPs,
through an automated refactoring of a global access control policy (i.e., a policy governing all of access rights in the system).
This refactoring involves grouping rules in the global policy into several subsets based on splitting criteria.

More specifically, we propose a set of splitting criteria to refactor the global policy into smaller policies.
A splitting criterion selects and groups the access rules of the overall PDP into specific PDPs.
Each criterion-specific PDP encapsulates a sub-policy that represents a set of rules that share a combination
of attribute elements (Subject, Action, and/or Resource).
Our approach takes as input a splitting criterion and an original global
policy, and returns a set of corresponding sub-policies. Given a set of requests, we then compare evaluation
time of the requests against the original policy and a set of sub-polices based on the proposed splitting criteria.

The facet of architectural property preservation aims at selecting the splitting criteria that
do not alter the initial access control architecture and that
preserves the synergy property of the architecture. The proposed refactoring keeps the separation of the PDP and
the PEPs, and focuses on establishing an appropriate mapping
between them. The best splitting criteria must thus both improve performance and comply to our architecture: the relationship must be maintained,
linking each PEP to a given PDP. When refactoring the system, each PEP in our system
can be mapped to a set of rules that will be relevant when evaluating
requests. We automate this refactoring process and conduct an evaluation to show that our approach enables decision-making process to be 9 times faster than
using only a single global access control policy.

In our previous work \cite{Xengine}, we addressed performance issues in policy evaluation by using
a decision engine called XEngine that outperforms Sun PDP implementation~\cite{oasis}. XEngine transforms an original XACML policy
into its corresponding policy in a tree format by mapping attribute values with numerical values.
Our contribution in this paper goes in the same research direction as it aims to reduce the request evaluation time. However, in this paper, we
do not provide a decision engine to evaluate requests efficiently, but propose a refactoring process that impacts the policy distribution.
Our evaluation results show that evaluation time is reduced up to nine times with split policies if compared to its original global policy.
Our evaluation results show that we have a considerable performance improvement, if the policies resulting from our refactoring process are evaluated
with XEngine rather than Sun PDP.


%The evaluation results show that we have a considerable performance improvement, if the policies resulting from our refactoring process are evaluated
%with XEngine rather than Sun PDP.

This paper makes the following three main contributions:
\begin{itemize}
\item We develop an approach that refactors a single global policy into smaller policies to improve performance in terms of policy evaluation.
\item We propose a set of splitting criteria to help refactor a policy in a systematic way. The best splitting criterion is the one
that does not alter the initial access control architecture and preserves the synergy property of the architecture.
\item We conduct evaluations on real-life policies to measure performance improvement
using our approach. We compare our approach with an approach based on the global policy in terms of
efficiency. Our approach achieves more than 9 times faster than that of the approach based on the global policy in terms of evaluation time.
\end{itemize}


The remainder of this paper is organized as follows: Section~\ref{sec:context} introduces flow models for access control policy in XACML, and access policy architecture model.
Section~\ref{sec:approach} presents our adopted strategy and
Section~\ref{sec:experiment} presents evaluation results and discusses the effectiveness of our approach. Section~\ref{sec:related} discusses related work.
Section~\ref{sec:conclusion} concludes this paper and discuses future research directions..

